The fast-xml-parser library by NaturalIntelligence is widely used for XML parsing and validation in JavaScript environments without relying on native C/C++ libraries. Versions 5.0.9 through 5.3.3 contain a vulnerability (CVE-2026-25128) stemming from improper input validation (CWE-20) during numeric entity processing. Specifically, when the parser encounters XML numeric entities with code points outside the valid Unicode range (e.g., � or �), it triggers a RangeError exception that is not properly caught. This causes the parser—and consequently the host application—to crash. Since the parser is often used in server-side or client-side applications processing untrusted XML input, this can be exploited remotely to cause denial of service (DoS). The vulnerability does not allow code execution or data leakage but disrupts service availability. The issue was addressed in version 5.3.4 by adding proper input validation and exception handling to prevent crashes. No known exploits are currently in the wild, but the low complexity and lack of required privileges make this a significant risk. The CVSS v3.1 score of 7.5 reflects a network attack vector, low attack complexity, no privileges or user interaction needed, and an impact limited to availability.

For European organizations, this vulnerability poses a risk primarily to service availability. Applications that rely on fast-xml-parser for XML processing—such as web services, APIs, or middleware—may be crashed by maliciously crafted XML payloads, resulting in denial of service. This can disrupt business operations, degrade user experience, and potentially cause cascading failures in dependent systems. Industries with heavy XML usage, including finance, telecommunications, and government services, may face operational interruptions. Additionally, organizations using this library in cloud-native or microservices architectures could see amplified impact due to automated scaling or orchestration reacting to crashes. While no data confidentiality or integrity compromise is indicated, the availability impact can lead to reputational damage and financial loss. The absence of known exploits provides a window for proactive patching, but the ease of exploitation means attackers could develop exploits rapidly.

European organizations should immediately identify all instances of fast-xml-parser versions 5.0.9 through 5.3.3 in their software environments, including direct dependencies and transitive dependencies in their JavaScript projects. The primary mitigation is to upgrade to version 5.3.4 or later, where the vulnerability is fixed. For environments where immediate upgrade is not feasible, implement input validation and sanitization at the application boundary to reject XML inputs containing out-of-range numeric entities. Employ runtime exception handling to gracefully manage parser errors and prevent application crashes. Additionally, deploy Web Application Firewalls (WAFs) or XML gateways configured to detect and block malformed XML payloads. Monitor application logs for unexpected parser exceptions and crashes to detect potential exploitation attempts. Incorporate this vulnerability into vulnerability management and patching workflows to ensure timely updates. Finally, conduct security testing on XML processing components to verify resilience against malformed inputs.